SV-230351r627750_rule
V-230351
SRG-OS-000028-GPOS-00009
RHEL-08-020050
CAT II
10
Configure the operating system to enable a user's session lock until that user re-establishes access using established identification and authentication procedures.
Select/Create an authselect profile and incorporate the "with-smartcard-lock-on-removal" feature with the following example:
$ sudo authselect select sssd with-smartcard with-smartcard-lock-on-removal
Alternatively, the dconf settings can be edited in the /etc/dconf/db/* location.
Edit or add the "[org/gnome/settings-daemon/peripherals/smartcard]" section of the database file and add or update the following lines:
removal-action='lock-screen'
Update the system databases:
$ sudo dconf update
Verify the operating system enables a user's session lock until that user re-establishes access using established identification and authentication procedures with the following command:
$ sudo grep -R removal-action /etc/dconf/db/*
/etc/dconf/db/distro.d/20-authselect:removal-action='lock-screen'
If the "removal-action='lock-screen'" setting is missing from, or commented out in, the dconf database files, this is a finding.
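The grep above also prints commented-out lines, so its output has to be read by eye. The function below is an added example, not part of the STIG text: it returns 0 only when an active removal-action='lock-screen' line sits under the section named in the fix text. The name check_removal_action, the restriction to keyfiles in *.d directories, and the skipping of "locks" subdirectories are assumptions of this example; it does not resolve precedence between keyfiles that set different values.

```shell
# Added example (hypothetical helper, not from the STIG).
# Usage: check_removal_action [DB_ROOT]   (DB_ROOT defaults to /etc/dconf/db)
# Returns 0 when compliant, 1 when the setting is missing or commented out.
check_removal_action() {
    db_root=${1:-/etc/dconf/db}
    # Only text keyfiles are parsed: they live in the *.d directories.
    # The compiled binary databases next to them are skipped, as are
    # "locks" subdirectories, which list key paths rather than settings.
    find "$db_root" -type f -path '*.d/*' ! -path '*/locks/*' -exec awk '
        # Each keyfile starts with no section selected.
        FNR == 1 { section = "" }
        # Trim surrounding whitespace before classifying the line.
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        # Comment and blank lines never count as a setting.
        /^#/ || /^$/ { next }
        # Remember which [section] the following keys belong to.
        /^\[.*\]$/ { section = $0; next }
        section == "[org/gnome/settings-daemon/peripherals/smartcard]" {
            line = $0
            gsub(/[ \t]*=[ \t]*/, "=", line)   # tolerate spaces around "="
            if (line == "removal-action=\047lock-screen\047") found = 1
        }
        END { if (found) print "active" }
    ' {} + | grep -q active
}
```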
M
2921